How to enable CIFS Signing?

Status
Not open for further replies.

postitnotes

Cadet
Joined
Apr 26, 2013
Messages
5
I've set up a test FreeNAS box with a ZFS volume, shared via CIFS. On a clean Windows machine I can map to the share with no issues, can read and write. On a machine joined to our Windows domain, it does not work. I get an error saying "The account is not authorized to log in from this station." This is a big problem for us as our design requires our Windows front-end servers to write to this file share over CIFS.

We've narrowed down the issue to a group policy setting that requires "Digitally signed communications." We discovered this thanks to this page: http://blog.kudosvenue.com/2010/05/18/vista-users-unable-to-access-cifs-shares/
I've tried adding "cifs.signing.enabled on" to the aux parameters in the CIFS setting on my FreeNAS server but it did not work (link is referencing a NetApp system so maybe the syntax is different). Is there any way to enable this CIFS signing in FreeNAS?
 

jpaetzel

Guest
cifs.signing.enabled on is a NetApp-ism, go ahead and take that out.

In the aux parameters on the samba settings put:

server signing = mandatory
 

postitnotes

Cadet
Joined
Apr 26, 2013
Messages
5
I removed the previous setting and added "server signing = mandatory" to the aux parameters for CIFS. I tried turning off/on CIFS, rebooting the client and the server, I'm still getting the same "not authorized to log in from this station" error. Is there somewhere else I need to place this or another setting I need to set?
 

postitnotes

Cadet
Joined
Apr 26, 2013
Messages
5
[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
getwd cache = yes
guest account = nobody
map to guest = Bad Password
obey pam restrictions = Yes
# NOTE: read smb.conf.
directory name cache size = 0
server string = FreeNAS Server
use sendfile = yes
store dos attributes = yes
time server = yes
null passwords = yes
security = ADS
realm = XX.XX.COM
workgroup = A1
netbios name = ************
client use spnego = yes
cache directory = /var/tmp/.cache/.samba

wins server = *********XX.XX.XX.COM
password server = *********XX.XX.XX.COM

local master = no
domain master = no
preferred master = no

inherit acls = yes
acl compatibility = auto
acl check permissions = true
acl map full control = true
dos filemode = yes

idmap uid = 10000-19999
idmap gid = 10000-19999

winbind cache time = 10
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = no
winbind refresh tickets = yes

allow trusted domains = yes

template shell = /bin/sh
template homedir = /home/%D/%U

idmap config A1: backend = rid
idmap config A1: range = 20000-20000000
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 2
aio read size = 4096
aio write size = 4096
server signing = mandatory

[custom]
path = /mnt/CUSTOM
printable = no
veto files = /.snap/.windows/.zfs/
comment = CUSTOM Share
writeable = yes
browseable = yes
inherit owner = yes
inherit permissions = yes
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: localtime = yes
shadow: format = auto-%Y%m%d.%H%M-2w
vfs objects = shadow_copy2 zfsacl
hide dot files = no
hosts allow = ALL
guest ok = no
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
 

postitnotes

Cadet
Joined
Apr 26, 2013
Messages
5
I've attempted different versions of "mandatory" like "yes", "true", "forced", "enforce" and so on, I haven't been able to find any term that works. I turn off and on CIFS each time and nothing. I've tried rebooting once in a while, still nothing.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
I'm curious, why do you have that group policy in use? Are you concerned about a man-in-the-middle attack on your network?

Just off the top of my head I'm a little confused as to a situation where you wouldn't have alternate security methods that could only be solved by requiring digitally signed communications.

But I'm Googling this now because I'm curious how to enable this on FreeNAS...

Edit: Just to ask a dumb question (and it may not actually matter) but have you tried to map a SMB share from your domain to FreeNAS via command line? Does it actually work? Since going from FreeNAS into your domain is a no-go I wonder if the other way will work...

Another edit: Here's someone else that sounds like they are asking a similar question: https://lists.samba.org/archive/samba/2011-April/162201.html

- - - Updated - - -

Try...

server signing = auto

Apparently that is how you can solve your problem for Samba 3.5.2. Not sure about the version FreeNAS is using, but hopefully that's the fix.

And a little more. You didn't specify if the signing is forced on server or client or both. One website says that if you are forcing it on the server it "can cause problems with non-Microsoft SMB implementation such as SAMBA". It then goes on to say to not enable this setting unless you want to prevent this computer from accepting SMB clients that don't support signing such as some Linux systems. Does that include FreeBSD/FreeNAS? I don't know.
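
Before restarting CIFS yet again, it is worth confirming what value of "server signing" Samba is actually going to read from the [global] section of the generated smb.conf, since FreeNAS appends aux parameters to a file it writes itself. The following sh script is an added example and is not code from this thread or from the FreeNAS project: it parses an smb.conf the way Samba scopes settings (only [global] counts, comments are skipped, the last occurrence wins) and labels the values the thread discusses ("mandatory" and "auto", plus "disabled" and "default" from smb.conf(5)). The sample configuration it checks is constructed here and is not the poster's file; the decoy "server signing" line in the [custom] section shows why a share-level setting does nothing.

```shell
#!/bin/sh
# Added example (not from the thread): report the "server signing" value
# in effect in the [global] section of an smb.conf.
set -eu

# Print the effective value of KEY in the [global] section of FILE.
# Handles '#' and ';' comment lines, whitespace around '=', case-insensitive
# key names, and "last setting wins" within [global]; settings in share
# sections such as [custom] are ignored. Prints nothing if KEY is unset.
smbconf_global_value() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$key" '
        /^[[:space:]]*[#;]/ { next }                  # comment line
        /^[[:space:]]*\[/ {                           # section header
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            in_global = (tolower(s) == "global"); next
        }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == want) val = v           # last one wins
        }
        END { if (val != "") print val }
    ' "$file"
}

# Classify a "server signing" value. "mandatory" and "auto" are the two
# values tried in the thread; "disabled" and "default" are the other two
# listed in smb.conf(5). Anything else is flagged so it can be checked
# against the man page of the Samba version FreeNAS actually ships.
signing_status() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        mandatory) echo required ;;      # server refuses unsigned sessions
        auto)      echo negotiated ;;    # offered, used if the client asks
        disabled)  echo off ;;
        default)   echo samba-default ;;
        '')        echo unset ;;
        *)         echo unknown ;;
    esac
}

# Constructed sample, modelled on the [global]/[custom] layout posted above.
# The "server signing" line under [custom] is a deliberate decoy: Samba only
# honours this option in [global], and the checker must ignore it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
security = ADS
realm = XX.XX.COM
# server signing = disabled   <- commented out, must be ignored
Server Signing = mandatory
[custom]
path = /mnt/CUSTOM
server signing = disabled
EOF

value=$(smbconf_global_value "$SAMPLE" 'server signing')
echo "server signing in [global]: ${value:-<unset>} ($(signing_status "$value"))"

# Cross-check with Samba's own parser when it is installed; testparm -s
# dumps the parsed configuration without prompting. Only non-default
# settings are printed, so an unset option simply does not appear.
if command -v testparm >/dev/null 2>&1; then
    testparm -s "$SAMPLE" 2>/dev/null | grep -i 'server signing' \
        || echo "testparm: server signing not shown (Samba default in effect)"
fi
rm -f "$SAMPLE"
```

On a FreeNAS box the same two functions can be pointed at the generated file (the path is whatever the installed version writes; it is not given in this thread) to confirm the aux parameter really landed in [global] before blaming the client-side policy.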
 

postitnotes

Cadet
Joined
Apr 26, 2013
Messages
5
We use that group policy for security reasons, we're essentially mandated to use that among other policies.

Through command line, I usually see the same error (I'm using 'net use' to map the drive).

I tried adding all 4 lines I saw:
client schannel = Auto
server schannel = Auto
client signing = Auto
server signing = Auto

Restarted CIFS and it didn't work. I'm trying each one by one (because I'm desperate) but I doubt it will work. Disabling the group policy setting is unlikely to happen since it's a security mandate.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
We use that group policy for security reasons, we're essentially mandated to use that among other policies.

Well, that's the only reason you'd use that group policy. But why? Typically your internal network infrastructure at home/work should be safe from a man in the middle attack and outside your network you should be running VPN with sufficient encryption. So I'm kind of failing to see where you'd actually need that policy unless for some reason you feel that your internal infrastructure isn't safe. And if you are that paranoid about your own hardware that's a little scary because then it's not far-fetched to say that you don't trust your admins either.

Just thoughts off the top of my head. I'm just not really seeing why that group policy would be forced like it is.

I am a little disappointed though. While I don't see much value in enabling that feature I'm a little surprised that it's not working and not well documented. It could be that Samba just doesn't play well with the AD GP because it's an MS product. I'm wondering if the issue isn't with Samba but how the machine is on the network. Perhaps the FN server isn't negotiating (or doesn't support) the necessary tokens/cert/whatever to allow Samba to use the certification in your configuration. Kind of makes me wish I had a setup like yours to play with...

Personally, I'd put a ticket in at support.freenas.org and see what comes of it. I'm not sure what kind of timetable you are on, if you need it working in 48 hours you might be disappointed with the ticket's response. But the developers usually are very responsive regarding tickets.
 